security: CWE-1188: Harbor admin password override — VC-53730

[torresashjiancyber]

Summary

This PR remediates CWE-1188 (Insecure Default Initialization) by ensuring the Harbor admin password is set from the CloudFormation AdminPassword parameter instead of using Harbor's default password.

Finding

Vulnerability: Harbor registry deployed with default admin credentials
CVSS: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CWE: CWE-1188 (Insecure Default Initialization) / CWE-521 (Weak Password Requirements)

The Harbor deployment in scripts/registry/harbor_ec2.yaml accepted an AdminPassword CloudFormation parameter but never used it to configure Harbor. Harbor would deploy with its well-known default password (Harbor12345), allowing any attacker who can reach the Harbor endpoint to authenticate as admin with default credentials.

Remediation

Changes made:

1. scripts/registry/harbor_ec2.yaml: Added sed command in UserData script to set harbor_admin_password in harbor.yml using the AdminPassword parameter value
2. scripts/registry/env-vars-template.sh: Updated template to remove hardcoded default password and instruct users to set password matching their CloudFormation deployment

Approach: Minimal, focused fix that:

• Configures Harbor to use the admin password provided via CloudFormation parameter
• Updates documentation template to guide users away from default credentials
• Does not modify any other Harbor configuration or deployment logic

Verification

• ✅ Changes limited to 2 files (CloudFormation template and env vars template)
• ✅ No build/test regressions (no build/test infrastructure detected in repo)
• ✅ Diff report generated in reports/VC-53730/

Security impact: Harbor instances deployed with this fix will no longer use default credentials. The admin password is set to the value provided in the CloudFormation AdminPassword parameter (which requires minimum 8 characters per the parameter constraint).